Government Contractor Compliance & Regulatory Update

Contractors with Access to Classified Information Now Subject to Heightened Reporting Requirements

Posted in Federal Contractors

Effective June 12, 2017, executive branch agency employees, contractors and subcontractors who have access to classified information or hold sensitive positions must report personal trips abroad as well as a wide range of foreign contacts. This new security directive, “Reporting Requirements for Personnel With Access to Classified Information or Who Hold a Sensitive Position,” was issued by the Office of the Director of National Intelligence and establishes fundamental reporting requirements while still allowing agency heads to impose additional reporting requirements in accordance with their respective authorities.

Specifically, under the directive, contractors who hold sensitive positions or have access to classified information must report all unofficial foreign travel and substantive foreign contacts to their agency head or designee. Contractors must receive approval prior to their foreign travel, with some exceptions, including:

  • Travel to Puerto Rico, Guam or other U.S. possessions and territories is not considered foreign travel and need not be reported; and
  • Unplanned day trips to Canada or Mexico must only be reported upon return, and such reporting must be within five business days.

Contractors with access to classified information must also report “unofficial contact with a known or suspected foreign intelligence entity” and any “[c]ontinuing association with known foreign nationals that involve bonds of affection, personal obligation, or intimate contact.” Contact with a foreign national that “involves the exchange of personal information” must also be reported.

In addition, the directive requires that contractors with access to secret and confidential information and/or top secret information report certain activities, such as:

  • Application for and receipt of foreign citizenship;
  • Application for, possession or use of a foreign passport or identity card for travel;
  • Attempted elicitation, exploitation, blackmail, coercion or enticement to obtain classified information; and
  • Media requests for classified information.

Finally, under the directive, contractors must alert agency heads of their coworkers’ actions in certain situations that touch security or counterintelligence concerns, including when a colleague:

  • Is unwilling to comply with agency rules;
  • Has unexplained affluence or excessive indebtedness;
  • Has apparent or suspected mental health issues that may impact the individual’s ability to protect classified information; or
  • Misuses government property or information systems.

These reporting requirements were approved in December as part of the Insider Threat Program initiated by then-President Barack Obama after several high-profile leaks of classified information.

Labor Secretary Defends OFCCP-EEOC Merger

Posted in OFCCP

As previously reported, the Trump Administration’s proposed budget for fiscal year 2018 includes a plan to merge the Office of Federal Contract Compliance Programs (“OFCCP”) into the Equal Employment Opportunity Commission (“EEOC”). Pragmatically, this would add the OFCCP’s broad responsibilities to an already overburdened EEOC, without providing the EEOC any additional funding to accomplish its newly added workload.

On June 7, 2017, Labor Secretary Alexander Acosta testified at a House Appropriations subcommittee hearing in support of the proposal. The Labor Secretary touted the merger as a “commonsense change” that “combines two civil rights agencies that already work together closely.” The merger, according to Secretary Acosta, would achieve a cost saving without reducing enforcement.

President Trump’s proposal appears to stem from a long-standing recommendation by the Heritage Foundation, a conservative think tank in Washington, to eliminate the OFCCP on the ground that its function has become redundant. The proposal is also defended as part of President Trump’s goal – made explicit in the Executive Order issued on March 13, 2017 – to improve the efficiency of the executive branch by eliminating unnecessary agencies and components of agencies, and merging agency functions as necessary.

However, for the moment, the proposal appears unlikely to gain traction. As pointed out at today’s hearing by Rep. Barbara Lee (D-Calif.), the NAACP and the US Chamber of Commerce – two entities that rarely agree with each other – both oppose the proposal. Indeed, seventy-three civil rights groups, including the NAACP, sent a letter to Congress and to Secretary Acosta condemning the measure. And, as Secretary Acosta recognized at today’s hearing, any merger would require separate legislation to streamline the different functions of the two agencies.

We will continue to monitor developments on this issue.

Trump Administration’s Budget Proposes Major Changes For OFCCP

Posted in Department of Labor, OFCCP

On May 23, 2017, the Trump Administration released its proposed fiscal year 2018 budget. Not surprisingly, the budget proposes significant changes for the Office of Federal Contract Compliance Programs (“OFCCP”).  In the Department of Labor’s budget proposal, the Administration has laid the groundwork to merge the OFCCP into the Equal Employment Opportunity Commission (“EEOC”) by the end of fiscal year 2018.  The merger is touted as intended to promote “greater policy coordination, management efficiency, and cost-effectiveness.”  According to the Administration, maintaining OFCCP as a separate agency “does not take full advantage of the opportunities to improve employment civil rights protection.”  It is worth noting that although the merger is the focal point of the OFCCP budget proposal, it appears to have little support outside of the Administration. Indeed, opposition to the proposal is shared by both business groups and workers’ rights advocates.

In addition, the proposed budget:

  • Allocates $88 million to the OFCCP, a decrease of nearly $17.3 million (or 16.4%) from fiscal year 2017; and
  • Cuts the OFCCP’s headcount from 571 full-time equivalents (“FTEs”) to 440 FTEs, a reduction of 131 FTEs (nearly 23%) from fiscal year 2017.

The proposed budget identifies priorities for the OFCCP in fiscal year 2018, which include the EEOC-OFCCP merger and “combating pay discrimination through intensive contractor compliance assistance aimed at educating contractors about their contractual obligations, supporting their voluntary compliance with those obligations, and conducting high quality compliance evaluations.”

The budget document also announces that the OFCCP will establish its two “Skilled Regional Centers.” These centers, to be located in San Francisco and New York, “would have highly skilled and specialized compliance officers capable of handling various large, complex compliance evaluations in specific industries, such as financial services or information technology.”  These centers appear to be part of a plan to reduce the number of field area and district offices.

Of course, the President’s proposed budget is just a proposal for Congress to consider as it prepares its appropriation bills. We will continue to monitor and report significant developments in the budget process.

OFCCP Announces New Veteran Hiring Benchmark

Posted in OFCCP

The OFCCP has announced its 2017 Vietnam Era Veterans’ Readjustment Assistance Act (VEVRAA) Benchmark. The new benchmark is 6.7%, slightly lower than the previous year’s 6.9% benchmark.

The VEVRAA Benchmark is the figure which federal contractors must use to assess the effectiveness of their outreach programs for the hiring of veterans. Contractors may either use the OFCCP’s national benchmark, or establish their own benchmark using applicable statistics and other metrics set forth in OFCCP’s regulations (41 CFR §60-300.45(b)(2)).

BREAKING: Blacklisting Rule Is Officially and Completely Dead

Posted in Federal Acquisitions, Federal Contractors

Yesterday (March 27, 2017), President Trump signed into law a Congressional Joint Resolution of Disapproval (the “Resolution”), revoking the rules implementing the controversial Fair Pay and Safe Workplaces Executive Order, better known as the Blacklisting Rule.  The same day, President Trump issued a new Executive Order – The “Presidential Executive Order on the Revocation of Federal Contracting Executive Orders” – officially revoking the Fair Pay and Safe Workplaces Executive Order.

As federal contractors are well aware, the Blacklisting Rule required federal contractors to disclose various “violations” of labor laws to the federal government, imposed new paycheck transparency obligations, created new employee arbitration restrictions, and imposed new independent contractor notification requirements. Most of these requirements had been enjoined by a federal judge in October 2016, but some of the provisions – specifically, the paycheck transparency and independent contractor notification provisions – remained untouched by the ruling and went into effect January 1, 2017.

To revoke the Blacklisting Rule, Congress utilized the little-used Congressional Review Act (the “CRA”), which allows Congress to review new federal regulations and overrule them by passing a joint resolution within a certain period of time after the regulation is transmitted to Congress.  The CRA had only been used once before to successfully revoke a regulation.  The Resolution passed in the House of Representatives on a 236-187 vote on February 2, 2017.  On March 6, 2017, the Senate passed the Resolution by a narrow 49-48 margin.

With President Trump’s signature and implementation of his own Executive Order, the Rule has met its complete demise.

Renewed OFCCP Voluntary Self-Identification of Disability Form Now Available

Posted in Federal Contractors, OFCCP

Earlier today, the Office of Federal Contract Compliance Programs (OFCCP) announced that the Office of Management and Budget renewed the voluntary self-identification form for individuals with disabilities for an additional three years. This renewed Voluntary Self-Identification of Disability form is exactly the same as the prior form, except that it has a new expiration date of January 31, 2020.  Even so, federal contractors should start using this renewed form immediately.

The Voluntary Self-Identification of Disability form invites job applicants and employees voluntarily to self-identify as being an individual with a disability. The information collected on the self-identification form should be used by covered federal government contractors in determining that they have satisfied the utilization goal established by OFCCP and in conducting data analytics in connection with their affirmative action plans.

Trump Administration Will Retain LGBT Protections for Government Contractor Employees

Posted in Discrimination, OFCCP

Although the first eleven days of the Trump Administration have been full of activity and controversy, federal government contractors have been waiting to see if President Trump will undo or modify the compliance obligations imposed on them through the numerous Executive Orders issued by President Obama.

This morning (January 31, 2017) the White House announced plans with respect to one of those Executive Orders: Executive Order 11478 (the “Order”), which added sexual orientation and gender identity to the classes protected by Executive Order 11246.  According to the statement, the Order “will remain intact at the direction of President Trump.”  The announcement came the day after the press reported that the Trump Administration was contemplating overturning the Order or adding religious-freedom provisions.  The statement made today is silent on the latter point.

You can find our prior blog posts about the Order and its implementing regulations here and here.

The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

Posted in Employment Law

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes including this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any, associated with the requirement to complete DHS-developed privacy training. DHS also asks whether the industry should be given the flexibility to develop its own privacy training. Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, and to provide to the government and maintain evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Records Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides. The new controls include:

  • (1) limiting access to the information to authorized users;
  • (2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute;
  • (3) verifying controls on connections to external information systems;
  • (4) imposing controls on information that is posted or processed on publicly accessible information systems;
  • (5) identifying information system users and processes acting on behalf of users or devices;
  • (6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system;
  • (7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse;
  • (8) limiting physical access to information systems, equipment, and operating environments to authorized individuals;
  • (9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices;
  • (10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems;
  • (11) implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
  • (12) identifying, reporting, and correcting information and information system flaws in a timely manner;
  • (13) providing protection from malicious code at appropriate locations within organizational information systems;
  • (14) updating malicious code protection mechanisms when new releases are available; and
  • (15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that is:  (1) owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.

EFFECTIVE TODAY: FAR Barring Certain Contractor Confidentiality Agreements

Posted in Federal Acquisitions

Today (January 19, 2017), the Employee Internal Confidentiality Agreements or Statements Federal Acquisition Regulation (the “Rule”) goes into effect.  The Rule prohibits the government from contracting with companies that require employees or subcontractors to sign “internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or subcontractors from lawfully reporting such waste, fraud, or abuse to a designated investigative or law enforcement representative of a Federal department or agency authorized to receive such information.”  The commentary to the Rule explains that “designated” representatives are employees of the applicable agency’s Office of Inspector General.  The Rule applies to all solicitations and contracts (including contracts for Commercial Off-the-Shelf items (“COTS”)) using fiscal year 2015 funds or funds from any subsequent fiscal year.

Going forward, contractors will be required to certify in connection with bids on new contracts or maintenance of existing contracts, that they have no non-compliant confidentiality agreements and will not enter into any non-compliant confidentiality agreements with their employees and subcontractors.  If the contractor represents that it has non-compliant agreements currently in effect, the contractor is ineligible for the new contract.

Excluded from the Rule are “confidentiality agreements arising out of civil litigation and confidentiality agreements that contractor employees or subcontractors sign at the behest of a Federal agency.”  Thus, contractors need not be concerned about settlements entered into during litigation or federally-mandated confidentiality agreements.

Key Takeaways

Contractors should immediately review their existing employee and subcontractor confidentiality agreements to ensure compliance.  To the extent any non-compliant confidentiality agreements exist, contractors should, consistent with guidance in the Rule, issue a notice to existing employees and subcontractors that such agreements, to the extent they conflict with the Rule, are no longer in effect, and have employees and subcontractors sign compliant confidentiality agreements.

Governor Cuomo Signs Executive Order Requiring State Contractors To Report Job Title And Pay Data

Posted in Employment Law, Labor Law

On January 9, 2017, New York Governor Andrew Cuomo signed an Executive Order that requires state contractors to disclose, in addition to data on gender, race, and ethnicity that is already required, job title and salary data for all of their employees working on state contracts (or their entire workforce if those working on state contracts cannot be identified). The Order, “Ensuring Pay Equity By State Contractors,” compels state contractors to disclose this data for all state contracts, agreements, and procurements issued and executed on or after June 1, 2017.